Tuesday, July 2, 2013

Packet Sniffing With WIRESHARK

I will be going over the general terminology you need to know about packet sniffing (such as "what is a packet?"), and why someone would want to sniff a network (for both black hat and white hat purposes). This thread covers the fundamentals of packet sniffing with Wireshark and touches on some more advanced concepts as well. For now, though, I will cover the basic terms you should know before continuing. I also assume that you already know the core concepts and terminology of networking (IP addresses, ports, Ethernet, and so on).


Packet: A packet is, at its core, simply a bounded chunk of data sent over a network: a header (addresses, protocol, length) in front of the actual payload. To put it into perspective, whenever you receive data from the internet, it arrives at your PC (or whatever end device you are using at the time) as a stream of many small packets that get put back together into a web page, a file, and so on.

Promiscuous Mode: This is an option in most packet sniffers that puts your NIC (Network Interface Card; the component that connects the PC to the network cable or Wi-Fi) into a mode where it hands every frame it sees up to the sniffer, not just the frames addressed to its own MAC address (plus broadcast and multicast). It is purely a listening mode: it does not let you modify traffic or inject anything, and it needs administrative (root) rights, because the capture driver (WinPcap at the time of writing, Npcap in current Windows versions, libpcap on Linux/macOS) needs raw access to the interface. Keep in mind that on a modern switched network the switch only delivers to your port the frames meant for your machine, so promiscuous mode alone will not show you other people's traffic; for that you need a mirror (SPAN) port, a hub, or an active attack such as ARP spoofing, which is a separate technique from sniffing. Rewriting what a website sends you (say, swapping the Google banner for the Hack Forums banner) is a man-in-the-middle attack, not something promiscuous mode does.

Monitor Mode: This is a mode for wireless (802.11) NICs. Instead of associating with an access point and handing you normal Ethernet-style frames, the card listens to a channel and gives the sniffer every raw 802.11 frame it hears: management and control frames (beacons, probes, deauthentications) and data frames from any network on that channel, whether or not you are connected to it. Like promiscuous mode it needs administrative/root rights, and it also needs a card and driver that support it; support on Windows is limited, so Wireshark on Windows usually cannot do it. On a wired connection there is no monitor mode; you just capture normally, with or without promiscuous mode.

Frames: A 'frame' is the unit of data at layer 2 (the data link layer): an Ethernet or Wi-Fi header, the data it carries, and a trailing checksum. A frame carries (encapsulates) a packet, not the other way around: the frame holds the IP packet, the IP packet holds the TCP segment or UDP datagram, and that holds the application data. Wireshark counts what it captures in frames ("Frame 1: 74 bytes on wire"), which is why the two terms get mixed up.

Now that you've got the basic terminology down, you must be asking yourself: what exactly is 'packet sniffing', and why would I want to do it? Going back to the definition, a packet is a bounded chunk of data sent over a network, and packet switching (breaking data into packets and forwarding each one independently) is how the internet moves everything, from web pages to downloads. Packet sniffing is capturing those packets as they pass your NIC and looking inside them with a tool such as Wireshark or tcpdump. Sniffing is passive in both of the modes above: you get a copy of the traffic, but nothing on the wire is changed (tampering with traffic is a separate, active attack and a topic for another day). Basically, it answers the question "what's going on with my network?". Someone in IT may need to know why something isn't sending properly, or who is on the network, and all of those questions can be answered properly with packet sniffing. However, it can be used for malicious purposes as well, such as stealing passwords sent over unencrypted protocols. Now, there are 7 layers you should familiarize yourself with when you are packet sniffing with Wireshark.

The OSI model divides the way a network communicates into 7 distinct layers. Each layer is explained below, from the top down. (Data actually travels the other way: an HTTP request is wrapped in TCP, then IP, then an Ethernet frame before it hits the wire, and each layer is unwrapped again on the other end.)
  • Layer 7: This is the application layer, where protocols such as HTTP, DNS, SMTP and FTP live. HTTP is what your web browser (the application) speaks, and the rendered web page is the end product of all the packets below it being received and put back together. In Wireshark this is the last line in the packet details pane (for example "Hypertext Transfer Protocol"). This isn't necessarily the most interesting part of packet sniffing on its own; layer 4 and below is where you learn how the data actually got there.
  • Layer 6: This is the presentation layer, concerned with how data is encoded: character sets, compression and encryption. SSL (Secure Sockets Layer), today replaced by TLS, is usually drawn here, which is why people say websites use it to send data securely. In practice TLS sits between TCP and HTTP, and Wireshark shows it as "Transport Layer Security" on top of TCP, with the HTTP inside it unreadable unless you have the session keys.
  • Layer 5: The session layer, which describes setting up, keeping and tearing down a session between two applications. You rarely see a separate layer 5 protocol in Wireshark; this job is mostly folded into the protocols above and below it.
  • Layer 4: The transport layer, where packet sniffing starts to shine. This is where you see which transport protocol is in use and on which ports: TCP (reliable and ordered, with sequence numbers; used for web pages, email and downloads) or UDP (fire-and-forget; used by DNS, VoIP and a lot of streaming). Wireshark's 'Protocol' column is filled in from this layer and up, so a DNS lookup shows as DNS over UDP port 53, and a visit to Google shows as TCP on port 80 or, over HTTPS, port 443.
  • Layer 3: The network layer, where the actual IP packets reside. This is where the source and destination IP addresses live, along with the TTL and the protocol number that says whether a TCP segment or a UDP datagram comes next. These are the packets going through your wire (or, on Wi-Fi, through the air) and being reassembled on the other end, hopefully giving you the desired result (the correct web page). Packets really do arrive out of order or get lost, but that does not corrupt the page: the TCP sequence numbers at layer 4 put them back in order and trigger retransmission of anything missing, and Wireshark reassembles a stream the same way when you follow it. A corrupted download comes from something else (a bad disk, a broken server, tampering), not from reordering.
  • Layer 2 & 1: Layer 2 is the data link layer: Ethernet or Wi-Fi framing and MAC addresses, which is what your NIC and the switch work with, and what promiscuous and monitor mode operate on. Layer 1 is the physical layer: the copper in the ground, the Ethernet cables, fibre, the radio waves carrying your Wi-Fi, satellite links, and the signalling that turns bits into electricity, light or radio.
The layers listed above will give you a better perception when you're packet sniffing: every packet Wireshark shows you is dissected in exactly that order (frame, Ethernet, IP, TCP/UDP, application protocol) in the packet details pane. Now that we've got that out of the way, let's move on to actually using Wireshark. The first thing you want to do once you have downloaded Wireshark is, simply, set it up. Go through the install wizard's prompts; on Windows, let it install the capture driver (WinPcap at the time of writing, Npcap in current versions), or you will be able to open capture files but not capture anything. Then choose to 'run' Wireshark, or use the desktop icon if you chose to add one. Assuming the program started, a window should open that looks like the one below:

From here, you have a handy GUI from which you can start capturing data. You're going to want to click on your NIC in the interface list below the 'Start' button and click 'Start'. Pick the interface that actually carries your traffic (the Wi-Fi adapter if you are on wireless, the Ethernet adapter if you are wired); if the packet count stays at zero, you have picked the wrong one. On Linux or macOS you need to run Wireshark as root or, better, give your user capture permissions (on Debian/Ubuntu, membership in the wireshark group), or the interface list will be empty. From here, you should have a window similar to this:

As you can see, the top section of Wireshark (the packet list) shows the packets you are currently logging. What shows up depends on what your machine is doing at the time; if you wanted, you could open a new tab, go over to Hackforums.net, and switch back to Wireshark to see the packets rolling in.

Looking at the columns of the packet list (from left to right): 'No.' (number) is the frame's position in the capture since you started capturing (or sniffing). 'Time' is, by default, the number of seconds after the capture started at which that frame was captured (View > Time Display Format lets you change it). The third column shows the source IP address (the packet's origin), and the fourth the destination IP address (for frames without an IP layer, such as ARP, you get MAC addresses instead). The fifth column shows the protocol, meaning the highest layer Wireshark could decode: DNS (Domain Name System), TCP (Transmission Control Protocol), HTTP (HyperText Transfer Protocol), and so on. To be very brief about HTTP: you do not want to log in to websites over plain HTTP. The protocol sends your username and password in clear text, so anyone who can sniff the traffic between you and the server (on your LAN, on the Wi-Fi, or anywhere along the path) can read your login straight out of the packet. HTTPS wraps the same HTTP inside TLS, and a sniffer then sees only encrypted bytes. Finally, the 'Length' column is the frame size in bytes, and 'Info' is a one-line summary of the highest decoded layer (the HTTP request line, the TCP flags and sequence numbers, the DNS query name).

Now, depending on what you want to do, you can narrow down the packets shown via the 'Filter' bar at the top of the window. This is a display filter: it hides packets that are already captured, as opposed to a capture filter, which you set before starting and which decides what gets recorded at all. Let's say you wanted to view only HTTP requests. You would go to the Filter bar and type "http.request", and only the packets of interest remain. A few other useful display filters: http.request.method == "POST" for form submissions, ip.addr == 192.168.1.10 for everything to or from one host, tcp.port == 80 for one port, and dns for name lookups. Note that the http filters only match once Wireshark decodes the stream as HTTP, which it does on the standard ports such as 80 and 8080; HTTP on an unusual port shows up as plain TCP until you tell Wireshark otherwise with "Decode As". Alright, remember when I said that while capturing you could go and visit a website of your choice (I recommended Hack Forums) and see the packets being logged? Well, browse through the log and look in the Info column for something with 'hackforums' in the URL. Once you find it, right click on it and hit "Follow TCP Stream" (in newer versions, Follow > TCP Stream). Wireshark will open a new window showing, in red, the data you sent and, in blue, the data you received, with all the segments of that connection put back in order. If the site used HTTPS you would see only the TLS handshake and gibberish after it; on plain HTTP you see the full request, cookies included. Again, this shows the raw data within the packets, which I would get into further if this weren't a fundamental guide to Wireshark.
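To make the layers from the OSI section and the "http.request" / "Follow TCP Stream" steps above concrete, here is a small Python script, added to this post (it is not Wireshark's code and not from the original thread), that builds a few frames by hand, dissects them layer by layer the way the packet details pane does, applies a rough equivalent of the http.request display filter, and reassembles one conversation like Follow TCP Stream. All of the traffic is constructed inline: the MAC addresses, the 192.168.1.x / 203.0.113.x addresses, the host example.test and the login alice / s3cret! are made up, and checksums are left at zero because nothing is ever sent. The function names (build_frame, dissect, is_http_request, follow_tcp_stream, sniff) are my own, not Wireshark's.

```python
"""Added example (not from the original post): dissect constructed Ethernet/IPv4/
TCP/UDP frames one layer at a time, apply the equivalent of Wireshark's
"http.request" display filter, and reassemble ("follow") one TCP stream."""
import struct

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")


def build_frame(src_mac, dst_mac, src_ip, dst_ip, proto, sport, dport, data, seq=0):
    """Ethernet II frame -> IPv4 packet -> TCP segment (proto 6) or UDP datagram
    (proto 17) -> payload. Checksums stay 0: nothing here is ever transmitted."""
    if proto == 6:   # TCP header: data offset 5 words, flags PSH|ACK, window 65535
        l4 = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0)
    else:            # UDP header: length field covers header plus data
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(data), 0)
    l4 += data
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64, proto, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    eth = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
    return eth + b"\x08\x00" + ip + l4          # 0x0800 = EtherType IPv4


def dissect(frame):
    """Peel off one layer at a time: L2 Ethernet -> L3 IPv4 -> L4 TCP/UDP -> L7 data."""
    layers = {"eth": {"dst": frame[0:6].hex(":"), "src": frame[6:12].hex(":"),
                      "type": struct.unpack("!H", frame[12:14])[0]}}
    if layers["eth"]["type"] != 0x0800:          # not IPv4: nothing more to decode here
        return layers
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                     # IP header length in bytes (options possible)
    layers["ip"] = {"src": ".".join(map(str, ip[12:16])), "dst": ".".join(map(str, ip[16:20])),
                    "ttl": ip[8], "proto": ip[9]}
    l4 = ip[ihl:]
    if ip[9] == 6:                               # TCP: ports, sequence number, data offset
        sport, dport, seq, _ack, off_flags = struct.unpack("!HHIIH", l4[:14])
        layers["tcp"] = {"sport": sport, "dport": dport, "seq": seq}
        layers["data"] = l4[(off_flags >> 12) * 4:]
    elif ip[9] == 17:                            # UDP: ports, fixed 8-byte header
        sport, dport = struct.unpack("!HH", l4[:4])
        layers["udp"] = {"sport": sport, "dport": dport}
        layers["data"] = l4[8:]
    return layers


def is_http_request(layers):
    """Rough equivalent of the display filter "http.request": a TCP payload whose
    first line is a request line such as "POST /login HTTP/1.1"."""
    data = layers.get("data", b"")
    first_line = data.split(b"\r\n", 1)[0]
    return ("tcp" in layers and data.startswith(HTTP_METHODS)
            and first_line.endswith((b"HTTP/1.0", b"HTTP/1.1")))


def follow_tcp_stream(frames, index):
    """Like "Follow TCP Stream" on frame `index`: take every segment between the same
    two endpoints, order each direction by sequence number (so segments captured out
    of order still read correctly) and return the client's bytes (red in Wireshark)
    and the server's (blue). The client is whoever sent the first segment seen."""
    packets = [dissect(f) for f in frames]
    endpoints = lambda p: frozenset([(p["ip"]["src"], p["tcp"]["sport"]),
                                     (p["ip"]["dst"], p["tcp"]["dport"])])
    conv = endpoints(packets[index])
    segs = [p for p in packets if "tcp" in p and endpoints(p) == conv]
    client = (segs[0]["ip"]["src"], segs[0]["tcp"]["sport"])
    by_side = {}
    for p in segs:
        side = "client" if (p["ip"]["src"], p["tcp"]["sport"]) == client else "server"
        by_side.setdefault(side, []).append((p["tcp"]["seq"], p["data"]))
    return {side: b"".join(d for _, d in sorted(chunks)) for side, chunks in by_side.items()}


# Constructed sample traffic: made-up MACs, documentation address ranges, fake login.
PC, GW = "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:fe"
CLIENT, SERVER, DNS = ("192.168.1.10", 49152), ("203.0.113.5", 80), ("192.168.1.1", 53)
REQ_HEAD = b"POST /login HTTP/1.1\r\nHost: example.test\r\nContent-Length: 23\r\n\r\n"
REQ_BODY = b"user=alice&pass=s3cret!"
RESP = b"HTTP/1.1 302 Found\r\nLocation: /home\r\nContent-Length: 0\r\n\r\n"


def sample_capture():
    """A DNS query over UDP, then a plaintext HTTP login whose body segment was
    captured before its header segment, then the server's reply."""
    dns_query = b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00" + b"\x07example\x04test\x00\x00\x01\x00\x01"
    return [
        build_frame(PC, GW, CLIENT[0], DNS[0], 17, 53000, DNS[1], dns_query),
        build_frame(PC, GW, CLIENT[0], SERVER[0], 6, CLIENT[1], SERVER[1], REQ_BODY, seq=1000 + len(REQ_HEAD)),
        build_frame(PC, GW, CLIENT[0], SERVER[0], 6, CLIENT[1], SERVER[1], REQ_HEAD, seq=1000),
        build_frame(GW, PC, SERVER[0], CLIENT[0], 6, SERVER[1], CLIENT[1], RESP, seq=7000),
    ]


def sniff():
    """Dissect the capture, apply the "http.request" filter, follow the first hit."""
    frames = sample_capture()
    packets = [dissect(f) for f in frames]
    matches = [i for i, p in enumerate(packets) if is_http_request(p)]
    stream = follow_tcp_stream(frames, matches[0])
    return packets, matches, stream
```

Call sniff() and look at the three results: the packet dictionaries show MAC addresses at layer 2, IP addresses and protocol number at layer 3 and ports at layer 4, just like the details pane; the filter matches only the frame carrying the request line (index 2), not the body-only segment or the response; and stream["client"] contains the whole POST, password included, in readable text because the login went over plain HTTP. The body segment that was "captured" before the header lands in the right place because the reassembly sorts on TCP sequence numbers, which is also why out-of-order packets do not corrupt a page.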

